21:00:16 #startmeeting 2018-04-04 discussion 21:00:16 Meeting started Wed Apr 4 21:00:16 2018 UTC. The chair is wking. Information about MeetBot at http://wiki.debian.org/MeetBot. 21:00:16 Useful Commands: #action #agreed #help #info #idea #link #topic. 21:00:16 The meeting name has been set to '2018_04_04_discussion' 21:00:49 agenda: https://groups.google.com/a/opencontainers.org/forum/#!topic/dev/B5qgXiKuQog 21:03:43 wking: thanks 21:05:14 #topic distribution-spec vote 21:05:28 if it didn't pass unanimously, it was pretty close 21:05:59 #topic certification 21:06:12 #link https://github.com/opencontainers/certification/issues/35 21:06:18 #link https://github.com/opencontainers/certification/issues/36 21:06:31 albanc: I'm trying to get the certification scope for the runtime spec 21:06:46 ^that's #36 21:07:02 albanc: Do we want to certify Docker and other higher-level engines? 21:07:17 albanc: I think for the moment we want to focus on runc and similar level runtimes 21:07:31 albanc: and for the image-spec, what is the certification focus 21:07:34 ^that's #35 21:07:53 albanc: is it just the image? Also registries? Conversion from the image-spec to a runtime bundle? 21:08:11 [caniszczyk, Open Container Initiative] the initial thought was on registries but happy to discuss more 21:09:22 vbatts|work: I don't know if there will be much demand for "this particular Redis build is certified" 21:09:42 vbatts|work: I think it will be more like the W3C HTML validator, where you can feed in your image and get a pass/fail 21:10:00 vbatts|work: and something like "everything from this registry is compliant" 21:10:23 cracra: I have some recollection of registries not supporting multi-arch 21:10:36 vbatts|work: so maybe red/green/yellow, with multi-arch being a warning? 21:10:49 vbatts|work: Conversion was a bit controversial originally 21:11:03 don't say "Alexa" :) 21:11:42 how can we certify implementations without specifying implementations? 21:11:47 stevvooe: ? 21:12:10 vbatts|work: you pass in something, but ... what are you passing in? 21:12:15 wking: it wasn't always as clear that they didn't support multi-arch; in many cases there were parts of the v2 API that were used mainly in supporting multi-arch that registries decided wasn't that important for their use case 21:12:35 stevvooe: like in Docker you have a container, what would you drive on the Docker API to certify it for OCI runtime support? 21:12:53 but definitely in some cases they were denying push when the manifest content-type was a "manifest-list" 21:13:03 mrunalp: for runtimes, it makes sense to certify the low-level runtimes (runc, hyper, ...) 21:13:25 crosbymichael: I think that makes the most sense. But how do we word things that use runc? 21:13:47 vbatts|work: are we talking about dusting off the CRI discussion? 21:14:24 stevvooe: the conversion doc is also problematic. What are we certifying? Do we certify a CLI? Do we certify the conversion spec, which I don't think is a good idea 21:14:39 mrunalp: for runc, it would be "if we implement a CLI we all agree on, then ..." 21:14:50 stevvooe: what if the implementation doesn't implement a random systemd flag? 21:14:58 mrunalp: then that flag shouldn't be in the CLI spec? 21:15:06 stevvooe: so which flags are in and which are out? 21:15:14 mrunalp: maintainers have to decide what makes sense 21:18:01 stevvooe: what value does this bring to the project? 21:18:48 [caniszczyk, Open Container Initiative] section 1 for the OCI charter https://www.opencontainers.org/about/governance "The Open Container Initiative provides an open source technical community within which industry participants may easily contribute to building a vendor-neutral, portable and open specification and runtime that deliver on the promise of containers as a source of application portability backed by a certificati 21:18:58 [caniszczyk, Open Container Initiative] that's where the certification program requirement comes from fyi 21:19:16 vbatts|work: rather than rat-holing on the point of it... folks want a tool to complaince test so they can get a green light 21:20:04 mrunalp: currently folk implementing a runtime have to reverse-engineer runc because we don't have an official spec 21:20:39 stevvooe: how often is this done? Once or twice a year? Certification is going to take a lot of effort/time 21:21:13 stevvooe: is the benefit that runc, ccrun, kata, etc. all have the same flags and run the same tests? 21:21:23 mrunalp: from a pluggable perspective, yes 21:21:38 stevvooe: but they're not pluggable, because the isolation primatives are different 21:21:55 mrunalp: we can have different flags for Windows/Linux 21:22:30 vbatts|work: when I floated the create, etc. JSON structure. The reason that discussion happened was because any platform could take a JSON data structure and not have to depend on how Windows or other OS does flags 21:22:54 vbatts|work: I think a CLI spec would be pretty isolated to the platform 21:23:34 What's the Windows option issue? Is it just -- vs. / conventions for options? 21:25:04 vbatts|work: circling back to certification#36 21:25:42 s/36/35/ 21:26:10 crosbymichael: would image compliance help after the distribution-spec is in? 21:26:39 I agree that the distribution-spec would help with validating registries for serving compliant images ;) 21:26:52 vbatts|work: we tried to make the layout for local images, but yeah 21:27:21 stevvooe: you have a test image, you push it to the registry, pull it from the registry, and run it 21:27:46 stevvooe: but when I look at an individual image implementation or OCI implementation, looking at the runtime or image spec, it seems like we're just burning up C02 21:28:23 albanc: does that mean that image certification should be done only with the distribution spec, not on disk? 21:28:34 vbatts|work: I think layouts on disk would be another line item 21:28:58 vbatts|work: originally that was for 'docker save' and 'docker load', but you could have the same digests you'd have in a registry 21:29:30 vbatts|work: especially for end-to-end certification, the cert group could publish a test image digest, and folks could fetch it, run it, and look for exit 0 21:29:45 crosbymichael: I don't think you want to look at runtime exit codes, those are completely separate 21:30:10 crosbymichael: were layouts just a stop-gap? How real is that use-case today? 21:30:28 crosbymichael: it may be less work overall if we're not making up things 21:31:14 crosbymichael: vbatts|work, you were talking about multi-arch validation? 21:31:57 vbatts|work: if an implementation couldn't fetch multi-arch images... It would be ideal if we had a big compliance up/down boolean. But in reality, it breaks down to implementing all the MUSTs and some SHOULDs so yellow 21:32:11 vbatts|work: not even picking on multi-arch per-se 21:32:27 crosbymichael: and we have two sides of certification, producers and consumers 21:32:31 vbatts|work: yup 21:33:09 vbatts|work: even building an image doesn't mean it complies with the spec. You can get an image in a few different ways and may want to test it before pushing it to a registry 21:33:24 vbatts|work: it would be good to be able to check each of those pieces at some point 21:34:02 vbatts|work: so albanc, I don't think anyone's in violent disagreement. It comes down to how, when you look at any one piece, if it's an implementation detail or a compliance issue 21:35:10 vbatts|work: the other piece would be if you somehow specify that runtimes should comply with whatever capabilities, seccomp, etc., you could hand it a bundle to see whether the runtime could do that 21:35:47 stevvooe: there is a way for the image if you take a hash, walk the hash for the manifest and layouts, etc. You could abstract out the fetching and run it on layouts or registries, and that's fine 21:36:10 stevvooe: I think there's less use for layer extraction, where it's tar based, and there are 40 years of inconsistent tar implementations 21:36:34 #link https://github.com/opencontainers/image-spec/pull/342 21:36:37 ^ tar spec ;) 21:37:05 stevvooe: but some of these do need to be left as implementation details 21:37:24 crosbymichael: would it help if we had two working groups, one for the runtime and one for images? 21:37:45 crosbymichael: and say, this is what we're certifying and this is what we're not? 21:38:02 Isn't that what runtime-tools is already? 21:38:56 crosbymichael: but runtime-tools and runtime-spec maintainers are running in parallel now 21:39:02 mrunalp: yeah, that makes sense to me 21:39:18 [caniszczyk, Open Container Initiative] we attempted to try to do this awhile ago, it needs some love from the maintainers https://github.com/opencontainers/certification#certification 21:39:28 vbatts|work: what's out from the existing certification group? Does it come down to this level of thing? 21:39:48 cracra: We talked about the process, whether it would be self-cert or peer-cert, etc. 21:40:04 albanc: is there a certification project? 21:40:15 cracra: it's not an OCI Project, it was under the trademark board 21:40:31 cracra: I think outside of mrunalp the maintainers weren't involved in that effort 21:40:34 apologies; have to run for today 21:41:05 crosbymichael: when I proposed working groups, I didn't mean a separate thing. I just meant a quick "let's work up a document" to say what gets checked, e.g. yes runc, no CRI-O 21:41:27 crosbymichael: and then vbatts|work's idea of pushing in a payload, we work that up after we know what we're going to certify and how 21:41:42 vbatts|work: I'm not opposed to a working group 21:42:16 cracra: if a working group is justed a google doc, I'm ok with that 21:42:26 cracra: as async as possible is best 21:43:01 #action cracra to open a certification-scoping Google doc 21:43:19 crosbymichael: and our focus will be on the low-level stuff 21:43:39 cracra: exactly. The trademark can take care of the legal stuff, and this can be about what is actually certifiable 21:44:15 #topic runtime-spec 1.1 21:45:12 #link https://github.com/opencontainers/runtime-spec/pull/942 21:45:21 #link https://github.com/opencontainers/runtime-spec/pull/949 21:45:36 ^the two minor-level changes since 1.0.1 21:45:55 what happens to runc? Will there be a 1.0 runc for the 1.0 runtime-spec? 21:46:10 mrunalp: we should meet and hash out the runc release 21:46:29 crosbymichael: or we can get a runc 1.0 out first and then circle back to runtime-spec 1.1 21:46:35 vbatts|work: so hold on runtime-spec 1.1? 21:46:38 crosbymichael: yeah 21:47:01 crosbymichael: there are also discussions about arguments going to the hypervisor 21:47:13 #link https://github.com/opencontainers/runtime-spec/pull/949#discussion_r178318374 21:47:26 agree.. let's ga runc rc.6? before moving to 1.1 21:47:54 vbatts|work: we should open an issue about that 21:48:42 tyranny to the implementation! 21:49:00 crosbymichael: if everyone is looking at runc, then the only one that's wrong is runtime-tools 21:49:53 I think there are some issues with the runc API, but we probably won't settle those in the next 10 minutes 21:50:06 #action crosbymichael to file an issue for https://github.com/opencontainers/runtime-spec/pull/949#discussion_r178318374 21:50:14 crosbymichael: https://github.com/opencontainers/runtime-spec/milestone/17 21:50:16 or maybe that was a vbatts|work action item 21:50:55 #link https://github.com/opencontainers/runtime-spec/milestone/9 21:51:42 vbatts|work: hmm, maybe v1.Y.0 is more of a label than a milestone 21:51:49 #topic distribution-spec project 21:52:03 vbatts|work: crosbymichael added his LGTM, so the vote is complete 21:52:18 #topic Copenhagen 21:52:23 cracra: albanc will be there 21:52:44 #topic distribution-spec 21:52:51 we plan on announcing this next week 21:53:09 stevvooe: when do you want me to drop the spec as it exists now? 21:53:27 cracra: before the 9th, when we announce it, so folks can look at it then 21:53:46 cracra: I've setup a GitHub group, and a maintainer set, etc. 21:54:06 stevvooe: I plan on decoupling the spec from route definitions, because the spec is currently generated from Go route definitions 21:54:14 vbatts|work: you don't want to carry that over? 21:54:26 stevvooe: yeah, it's fairly coupled to the implementation 21:54:39 stevvooe: and we could use that to generate some OAI 21:54:55 vbatts|work: whatever's easiest 21:55:07 cracra: yeah, and we can do OAI later down the line; whatever works 21:55:12 vbatts|work: anything else? 21:55:20 #endmeeting